Ruby Findings

digging for gems

[SECURITY] Arbitrary code execution vulnerabilities

Posted by Bill Marquette Sat, 21 Jun 2008 21:25:00 GMT

Time to upgrade your Ruby installs. This advisory came out yesterday regarding five CVEs impacting every current Ruby release.

Officially impacted versions:

1.8 series

  • 1.8.4 and all prior versions
  • 1.8.5-p230 and all prior versions
  • 1.8.6-p229 and all prior versions
  • 1.8.7-p21 and all prior versions

1.9 series

  • 1.9.0-1 and all prior versions
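To turn the version list above into something you can run against a host, here is an added Ruby check (not from the advisory, the Matasano writeup, or the Ruby project) that classifies a version/patchlevel pair against exactly those ranges; `affected?` and `current_ruby_affected?` are names chosen here for illustration.

```ruby
# Added check, not from the advisory or the Ruby project: decide whether a
# given Ruby version/patchlevel falls inside the affected ranges listed above.

# Highest affected patchlevel for each release the advisory names explicitly.
AFFECTED_MAX_PATCHLEVEL = {
  [1, 8, 5] => 230, # 1.8.5-p230 and all prior
  [1, 8, 6] => 229, # 1.8.6-p229 and all prior
  [1, 8, 7] => 21,  # 1.8.7-p21 and all prior
  [1, 9, 0] => 1,   # 1.9.0-1 and all prior
}.freeze

# Everything below this release is covered by "1.8.4 and all prior versions".
ALL_PRIOR_BELOW = [1, 8, 5].freeze

# version:    "x.y.z" string, e.g. "1.8.6"
# patchlevel: integer from RUBY_PATCHLEVEL, or nil when the interpreter
#             predates that constant (treated as patchlevel 0, the base release)
def affected?(version, patchlevel)
  release = version.split('.').first(3).map { |part| part.to_i }
  return true if (release <=> ALL_PRIOR_BELOW) < 0

  max = AFFECTED_MAX_PATCHLEVEL[release]
  # Releases the advisory does not list (e.g. 1.9.1 or later) are reported as
  # not affected by this advisory; that describes the list, not the interpreter.
  return false if max.nil?

  (patchlevel || 0) <= max
end

# Check the interpreter that is running this script.
def current_ruby_affected?
  patch = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil
  affected?(RUBY_VERSION, patch)
end

if __FILE__ == $0
  shown_patch = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : 'n/a'
  status = current_ruby_affected? ? 'AFFECTED' : 'not listed as affected'
  puts "ruby #{RUBY_VERSION} (patchlevel #{shown_patch}): #{status}"
end
```

Run it as `ruby check.rb` on each host, or call `affected?` with the version and patchlevel reported by `ruby -v`.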

Read the advisory for remediation information. Matasano also has a great writeup on the advisory here. I wonder what it would take to blow out the Rails params array with this (I’ll leave that to the professionals; I’d rather just patch it and move on right now). Scary stuff!

Update: Per comments on the Ruby on Rails blog post, you will break your Rails install if you upgrade to 1.8.6-p230, and 1.8.7 is only compatible with Rails 2.1. You might want to test the latest Ruby with your app on a dev site before blindly upgrading your production Ruby install.

If you want to put a little laugh back into the day, read Zed Shaw’s rant. And yes, there is actually some good info there, it’s worth a read.
